security: fix 10 vulnerabilities from security audit
- SSRF: block private/internal URLs in image cache fetch - SSRF: block private/internal URLs in RSS feed fetch (scheme guard) - SSRF: block private/internal URLs in CalDAV URL setting - Auth: require login for GET /api/images/<id> (was unauthenticated) - Auth: restrict Ollama model pull/delete to admin users only - Info disclosure: remove email from /api/users/search response - OAuth: skip email-based account linking when email_verified is false - Config: raise hard error on default SECRET_KEY when SECURE_COOKIES=true - Rate limit: document proxy header requirement; add startup warning - XSS: remove src/alt from global DOMPurify ADD_ATTR allowlist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -62,6 +62,13 @@ def create_app() -> Quart:
|
||||
"Set SECRET_KEY or SECRET_KEY_FILE for production use."
|
||||
)
|
||||
|
||||
if not Config.TRUST_PROXY_HEADERS:
|
||||
logger.warning(
|
||||
"TRUST_PROXY_HEADERS is not set. If this instance is behind a reverse proxy "
|
||||
"(nginx, Caddy, Traefik) set TRUST_PROXY_HEADERS=true so rate limiting uses "
|
||||
"real client IPs rather than the proxy IP."
|
||||
)
|
||||
|
||||
app.register_blueprint(admin_bp)
|
||||
app.register_blueprint(api)
|
||||
app.register_blueprint(auth_bp)
|
||||
|
||||
Reference in New Issue
Block a user